Question about HSTS max-age

Created on 21 March 2024, 6 months ago
Updated 30 May 2024, 4 months ago

Hello,
I have installed the seckit module and am evaluating all the features and settings.
The HSTS (Strict Transport Security) setting has a default max-age of 1000 (seconds).
When I read about this feature all resources I find explain to use a much longer period, up to a year.
Is there a specific reason that 1000 was chosen as the default?
Greetings,
Rob

💬 Support request
Status

Active

Version

2.0

Component

Miscellaneous

Created by

RobBNL (Netherlands)


Comments & Activities

  • Issue created by @RobBNL
  • Petr Illek (Czech Republic)

    @RobBNL I would assume it is a safe value for the start. When you use it, the HSTS instruction is stored outside your server in a central DB from which the browsers take the information. If you do have some misconfiguration, or an issue with the SSL certificate, it may render your site inaccessible for a long time. So it is better to start with a quick turnaround and, when you are sure all is working properly, then you can set a longer period.
    Minimum max-age to be included in the preload database is 31536000 seconds (1 year).
    More info here: https://hstspreload.org/.
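As an added example (not part of this issue or of the seckit module's code), a small Python checker that parses a Strict-Transport-Security header value and reports whether it meets the hstspreload.org header requirements the reply points to: the one-year minimum max-age quoted above plus the includeSubDomains and preload directives that site also requires. The function names are my own.

```python
# Minimum max-age accepted by hstspreload.org, as quoted in the answer above.
PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive, so they are lowercased; valueless
    directives (includeSubDomains, preload) map to None.  RFC 6797 forbids a
    directive from appearing twice, so a duplicate makes the header invalid.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = value.strip().strip('"') if has_value else None
    return directives


def assess_hsts(header_value):
    """Return (max_age, preload_ready, problems) for an HSTS header value.

    preload_ready is True only when the header meets the hstspreload.org
    header requirements: max-age of at least one year, includeSubDomains
    and preload.  A short max-age such as seckit's default of 1000 seconds
    is a valid rollout value but is reported as not preload-ready.
    """
    try:
        directives = parse_hsts(header_value)
    except ValueError as err:
        return None, False, [str(err)]
    raw = directives.get("max-age")
    if raw is None or not raw.isdigit():
        return None, False, ["max-age is missing or not a non-negative integer"]
    max_age = int(raw)
    problems = []
    if max_age < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age %d is below the preload minimum of %d"
                        % (max_age, PRELOAD_MIN_MAX_AGE))
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive is missing")
    if "preload" not in directives:
        problems.append("preload directive is missing")
    return max_age, not problems, problems
```

Running assess_hsts on the module default "max-age=1000" reports three problems, while "max-age=31536000; includeSubDomains; preload" comes back preload-ready; the checker only covers the header itself, not the HTTPS redirect and certificate checks hstspreload.org also performs.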
